Tuesday, April 18, 2017

A letter from the IRS

Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits.

This weekend I had the dubious pleasure of reading a letter that begins with these two paragraphs.

In March, the Internal Revenue Service removed the Data Retrieval Tool from its website. Many families use the tool to retrieve the income and tax information needed to fill out the Free Application for Federal Student Aid (FAFSA), but criminals had also abused it to obtain personal information on some 100,000 taxpayers.

According to a story by Brian Krebs, the Data Retrieval Tool was intended as a way for students who may not have ready access to their parents' tax returns to look up the parents' Adjusted Gross Income, a key figure used by colleges and universities to determine how much aid, and what forms of aid, to award enrollees.

The letter from the IRS, though, suggests that far more information could be accessed through the Data Retrieval Tool:
"Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits."
The IRS has arranged for credit monitoring, identity theft insurance, and "other services that will allow you to monitor your personal accounts." One possible interpretation of this letter is that the attackers could see complete federal tax returns rather than just the income information the tool was intended to expose. I have no inside knowledge of what was truly exposed; I am only reading between the lines based on what the IRS stated in its letter.

Depending on exactly what was exposed, "IRA distributions" could include not only the dollar amount but also the financial institution and account numbers: IRS Form 5498 ("IRA Contribution Information," which your financial institution files with the IRS) includes a field for your account number. In other words, a tax return has more than enough information for a scammer to convincingly impersonate you to your bank and social engineer bank personnel into granting access to your accounts.

What can you do?

If you are affected by this data breach (or any breach of personally identifying information for that matter), here are a few things you can do:

  1. Take advantage of the credit monitoring offered by the IRS. Stolen identity information can be used to open new credit accounts in your name, and as far as the lender is concerned, you are on the hook. Credit monitoring alerts you to such new accounts quickly, giving you a chance to do something about it before the crook runs up debt.
  2. Place a Fraud Alert or Security Freeze on your credit report. In truth, every US consumer should do this, whether or not you are the victim of identity theft. A Fraud Alert tells potential creditors to take extra care in verifying your identity before issuing credit. Generally that means the creditor will call you at the phone number you provide in the fraud alert. While it is not mandatory, it is in the creditor's best interest since by US law they are on the hook for fraudulent credit.

    A Security Freeze, on the other hand, denies would-be creditors access to your credit report. They cannot view your credit history, and they cannot place new accounts on your credit report.
  3. Establish an IRS Identity Protection PIN (IP PIN). An IP PIN is essentially a password for your tax return. Crooks use taxpayer information to file fraudulent tax returns, claiming significant refunds. While the tax filing deadline for the 2016 calendar year just ended, tax fraud will undoubtedly spike again next February and March. With an IP PIN, a fraudster cannot file a return using your identity without also having that PIN.
  4. File early next year (and every year following). A criminal cannot file "your" tax return if you get there first.
  5. Call your bank: alert them to the possibility someone may try to impersonate you. Ask what options they have for extra protection. USAA just sent the below memo to all of its customers, extending multifactor authentication to telephone customer service. This is a fantastic idea: customers calling in for service (or scammers calling in to steal your money) will need an extra password sent by email or SMS. To my knowledge USAA is the only bank that offers this added layer of security, but I will be very happy to be proven wrong -- please comment below if you are aware of other banks that do this.

USAA is extending multifactor authentication to customer service calls.

Tuesday, March 28, 2017

Hackers threaten mass iCloud carnage: don't panic, but do enable 2FA

There have been rumblings in recent weeks (with varying degrees of credibility and/or paranoia) of several hundred million Apple accounts stolen by hackers, with a threat that the iPhones, iPads, and iCloud backups associated with these accounts will be wiped on April 7 unless Apple pays a ransom. The threat is that owners of those accounts could wake up to find all their pictures, all their files, all their data, deleted forever.

ZDNet's Zack Whittaker has a sane take on the matter: Apple has not been hacked, but people are prone to reusing the same password across all the apps and websites they use, many of which have been breached. ZDNet's analysis found that not all the accounts the hackers claim to have compromised are in fact compromised, but a not insignificant number are.

What you need to know:
  • If you haven't changed your Apple (aka iCloud) password recently (as in, within the last 6 months or so), it wouldn't be a bad idea to change it now. 
  • Use separate passwords for each account, so one stolen password doesn't put all your other accounts at risk.
  • Enable two-factor authentication on any accounts that matter to you, so a stolen password by itself isn't enough to break into your account and steal or delete your valuable data. Here's how to enable it on your Apple ID: https://support.apple.com/en-us/HT204915

Friday, March 24, 2017

Why is this website impersonating the FBI-run InfraGard?

The real and fake InfraGard websites side-by-side

Can you tell which is the real InfraGard login screen?

InfraGard is a partnership between the FBI and private business, created to share information about threats. Its members come from private business, state and local government agencies, state and local law enforcement agencies, and schools and universities. Some of the information shared with members, while not classified, is also not entirely public.

The true web portal for InfraGard is www.infragard.org -- the image on the left.

Someone created a pretty convincing replica of the real portal, at www.infragard.com -- the image on the right. Other than a few outdated images, the only noticeable differences are that the replica domain name ends in .com instead of .org, and the replica is served over non-secure http instead of https.
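The two differences the post calls out (a swapped top-level domain and plain http instead of https) are exactly the things a user or a web filter can check mechanically. The script below is an added example, not code from this post: it compares a URL against the genuine portal the post names (www.infragard.org) and reports whether the hostname matches, merely contains the brand name under a different suffix, or is unrelated, and whether the page is served over http. The URLs fed to it are constructed samples, and the brand-name comparison is a simple label match rather than a public-suffix-aware one.

```python
from urllib.parse import urlsplit

# The genuine portal, as named in the post.
TRUSTED_PORTAL = "https://www.infragard.org"


def _host_labels(url):
    """Lower-cased hostname labels of a URL, e.g. ['www', 'infragard', 'org']."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host.split(".") if host else []


def _strip_www(labels):
    # www.example.org and example.org should compare as the same site.
    return labels[1:] if labels[:1] == ["www"] else labels


def classify(url, trusted=TRUSTED_PORTAL):
    """Compare a URL with the trusted portal.

    Returns (verdict, reasons): verdict is 'trusted', 'lookalike' or
    'unrelated'; reasons lists the concrete differences a user should
    notice (plain http, a different suffix under the same brand name).
    """
    t_scheme = urlsplit(trusted).scheme.lower()
    u_scheme = urlsplit(url).scheme.lower()
    t_core = _strip_www(_host_labels(trusted))
    u_core = _strip_www(_host_labels(url))
    if not u_core:
        return "unrelated", ["no hostname in URL"]

    reasons = []
    if u_scheme != t_scheme:
        reasons.append(f"served over {u_scheme} instead of {t_scheme}")

    if u_core == t_core:
        # Exact site match; an http warning may still be present.
        return "trusted", reasons

    brand = t_core[0]  # 'infragard'
    if any(brand in label for label in u_core):
        # Same brand name, different hostname: e.g. .com instead of .org,
        # or the brand buried in a longer name such as infragard.org.example.
        reasons.append(
            f"hostname '{'.'.join(u_core)}' carries the name '{brand}' "
            f"but is not '{'.'.join(t_core)}'"
        )
        return "lookalike", reasons

    return "unrelated", reasons


if __name__ == "__main__":
    # Constructed sample URLs for demonstration.
    for sample in (
        "https://www.infragard.org/login",
        "http://www.infragard.com/",
        "https://infragard.org.example/",
        "https://example.org/",
    ):
        print(sample, "->", classify(sample))
```

A `lookalike` verdict is the one worth acting on, whether that means a user pausing before typing a password or a proxy rule blocking the host; the http warning alone, on an otherwise matching hostname, signals a downgraded connection rather than an impostor.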

Tuesday, March 21, 2017

Cisco's CIA Vault7 exploit in context

Cisco issued a security bulletin on March 17, disclosing a remote code execution vulnerability in the Cluster Management Protocol function of IOS and IOS XE software, affecting over 300 Cisco switches and routers. Through this vulnerability, remote attackers can take complete control of a network device.

Cisco discovered the flaw while going through the WikiLeaks "Vault7" documents believed to have come from the CIA, suggesting that the flaw has been actively exploited. Naturally, every tech writer on the planet has rushed in to write doom and gloom stories of mass exploitation.

Slow down just a bit.

Those following long-standing best practices for securing infrastructure hardware are not at risk: the vulnerability can only be exploited through the Telnet protocol, and it requires access to the management interface of the switch.

Telnet communicates with a remote device unencrypted - transmitting usernames and passwords, as well as commands and configuration details, in the clear where anyone listening can intercept them. All modern switches and routers support SSH, which serves the same purpose but with an encrypted connection.

Disable the Telnet service on your Cisco switches, restrict management to an isolated management network, and update the OS as soon as practical once Cisco issues a fix.
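The three controls above (no Telnet on the management lines, management reachable only from an isolated network, SSH rather than clear-text protocols) are all visible in a device's running configuration, so they can be audited from a config backup without touching the switch. The script below is an added example, not Cisco's or this post's code: it parses the `line vty` blocks of an IOS configuration and reports Telnet still permitted, no `access-class` restricting management sources, and SSH version 2 not enforced. Both configurations embedded in it are constructed samples; the second shows the hardened form of the same lines (`transport input ssh`, `access-class MGMT in`, `ip ssh version 2`).

```python
"""Audit a Cisco IOS running-config for Telnet exposure on the vty lines."""
import re

# Constructed sample: Telnet still reachable from anywhere, SSH v1.
WEAK_CONFIG = """\
hostname edge-sw1
ip ssh version 1
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input all
 login local
"""

# Constructed sample: the same device hardened as the post recommends.
HARDENED_CONFIG = """\
hostname edge-sw1
ip ssh version 2
no ip http server
!
ip access-list standard MGMT
 permit 10.255.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
line vty 5 15
 access-class MGMT in
 transport input ssh
 login local
"""


def parse_vty_lines(config):
    """Return {'line vty 0 4': [sub-commands], ...} for each vty block.

    IOS indents a block's sub-commands by one space; any non-indented
    command (including '!') ends the block.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = None
    return blocks


def audit(config):
    """Return a list of findings; an empty list means all checks pass."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: 'ip ssh version 2' not set")
    for name, cmds in parse_vty_lines(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            # Set it explicitly rather than relying on the platform default.
            findings.append(f"{name}: no explicit 'transport input'")
        for t in transports:
            protocols = set(t.split()[2:])
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"{name}: telnet permitted ({t})")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Point `audit()` at the text of a real `show running-config` backup and anything it reports on a vty line is a device still reachable over clear-text Telnet from wherever the line's source restriction (or lack of one) allows.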

Carry on.

Wednesday, March 15, 2017

Facebook Messenger phishing scam

A phishing scam is using Facebook Messenger to spread, by telling your friends a video of them has gone viral.

Updated 20-March: My initial analysis was limited due to traveling without my laptop, and with unreliable data service. I've updated the post with a few additional domains to block, and to show the different behavior on mobile versus PC.

There’s a scam making the rounds on Facebook, making use of Facebook Messenger to spread. (Sysadmins, scroll to the bottom for a list of domains to block).

It starts when you receive a message from a friend, that simply says your name, with your profile picture designed to look like a preview of a video with hundreds of thousands of views. The implication is there is a “Facebook Video” of you that has gone viral.

Saturday, February 11, 2017

Quick and dirty malicious PDF analysis

Analyzing weird things forwarded by friends and family is a great way to keep my DFIR skills sharp.

Friends and family regularly send me things they find suspicious or weird. Sometimes it turns out to be malicious, and other times perfectly fine, but I'm always glad to know I've instilled a proper degree of skepticism in my friends.

My willingness to help has an ulterior motive: aside from the "herd immunity" that comes from helping those around me stay safe, analyzing weird things they see helps me keep my own skills sharp. It also can alert me to new or resurging threats, such as the Disney theme park scams so common around customary family travel periods.

Today's story is about a phish. A simple phish, but one with lots of red flags to call out, and that called to my attention some new features Google introduced in Chrome last month. As with many phish, this one begins with an email. Nothing fancy, just a brief memo that a voice message has arrived.

Wednesday, January 25, 2017

It's tax fraud season!

Tax season means tax fraud season. Here are a few common schemes to watch out for, along with tips to protect yourself from fraud.
1040 Individual Tax Return, by 401kcalculator. Used under license CC BY-SA 2.0

It's tax season. That means it is also tax fraud season. 

Early in the year is prime time for tax-related scams targeting both consumers and businesses. I see these start to appear around late December, but tax-related scams tend to peak in March. It makes sense that consumer scams would peak as the April 15 filing deadline approaches - but it's rather illogical that this is also true for business compromise. Employers, charities, and financial institutions are generally required to provide tax documents to consumers by January 31, so a successful business-oriented scam in March is a bit of a head-scratcher. Nonetheless, that's what the data show. 

What follows are explanations of some common tax-related threats at this time of year, along with tips to protect yourself.

Tuesday, January 17, 2017

How to be your daughter's hero, DFIR edition

Not only is digital forensics useful in cybersecurity, it can make you a hero in your daughter's eyes!

Every now and then, my day job pays dividends at home. Shortly before Christmas was one such occasion.

My daughter (a foreign exchange student my family is hosting, but she quickly became a daughter to us) had just spent a weekend with a friend. The friend too was a foreign exchange student from the same country as my daughter, but was near the end of her exchange and was soon to return to their home country. My daughter had taken many pictures of their weekend together, and had uploaded them to the friend's computer.

As is commonly the default, uploading the photos to the computer also deleted them from her camera.

By the time she discovered that, the friend had already begun her trek home. Several gigabytes of photos are not hard to transfer over WiFi or with a flash drive ... it's a different story when all you have is a cellphone hotspot with a limited data plan, or a costly and rate-limited airport wireless service.

Much to my wife's chagrin I am a sucker for my daughters' pleas for help. That holds true whether from the daughters born to my family or the daughter we are hosting. Just about any dad would say the same. Fortunately, one doesn't spend twenty years in technology and digital forensics without learning a few tricks.

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.